[00:00.000 --> 00:05.700]  Thank you so much. And hi everyone, good morning, good afternoon, good evening, wherever you are. I
[00:05.700 --> 00:10.480]  hope I got one of them right. So we're going to talk about how to get rights for hackers.
[00:11.060 --> 00:17.340]  And let's dive into it, shall we? First things first. I want to just let you guys know that
[00:17.340 --> 00:21.620]  this talk is completely dedicated to all the hackers who've been scared to disclose,
[00:22.240 --> 00:26.780]  to all the hackers who've been prosecuted for trying to do something good, and to all the
[00:26.780 --> 00:33.460]  people who are in the fight to bring rights for hackers. For those that don't know who I am,
[00:33.460 --> 00:38.140]  my name is Chloé Messdaghi. I am the VP of Strategy over at Point3 Security, and when I'm not there,
[00:38.140 --> 00:44.080]  I'm an ethical hacker advocate. I'm basically fighting for your rights, and then also trying
[00:44.080 --> 00:49.240]  to do whatever I can to improve our hacker community. I'm the president and co-founder
[00:49.240 --> 00:54.040]  of WoSEC, which is Women of Security, and the founder of WeAreHackers, formerly known as Women
[00:54.040 --> 01:00.680]  Hackers. I'm also the podcaster for ITSP Magazine, The Uncommon Journey, and when I'm not doing that,
[01:00.680 --> 01:06.420]  I'm also a Hacker Book Club organizer. Basically, we read a book about the hacker community or
[01:06.420 --> 01:12.000]  written by someone in the hacker community. And basically, we read a new book every month,
[01:12.000 --> 01:17.560]  and it's every Tuesday at 5 p.m. Pacific time when we meet. And yes, the author and people
[01:17.560 --> 01:22.000]  mentioned in the books do attend. Our upcoming one is going to be Tribe of Hackers and
[01:22.000 --> 01:27.400]  Red Team Edition, so you should come and join. That is my website, so feel free, if you want to
[01:27.400 --> 01:33.180]  know anything about me, it's most likely on there. And yes, my Twitter and Instagram, the DMs are
[01:33.180 --> 01:40.120]  always open, so if you do have other questions or anything like that, feel free to DM me at any time.
[01:42.560 --> 01:46.960]  So we're first going to dive into the current landscape. I know this is scary,
[01:46.960 --> 01:54.260]  but let's dive in it together. So first things first, Equifax. I would say usually raise your
[01:54.260 --> 02:00.300]  hand if the Equifax breach impacted you, but let's be real, let's just pretend, okay?
[02:00.580 --> 02:04.960]  But did you know a security researcher warned Equifax that it was vulnerable to the kind of
[02:04.960 --> 02:09.940]  attack that later compromised the personal data of more than 147 billion Americans?
[02:09.960 --> 02:14.780]  And this was reported by Motherboard. Six months after the researcher first notified the company
[02:14.780 --> 02:19.440]  about the vulnerability, Equifax patched it, but only after the massive breach that made headlines
[02:19.440 --> 02:26.440]  had already taken place, according to Equifax on the timeline. But the real question is,
[02:26.440 --> 02:33.520]  what if no one reported the breach? And it happens often because hackers don't report a
[02:33.520 --> 02:38.120]  breach due to the fear of prosecution. This statistic was discovered by the hard worker
[02:38.120 --> 02:43.540]  Amit Elazari, who knows our laws prevent good hackers from doing what they do best, protecting
[02:43.540 --> 02:49.000]  you and me and everyone we love. She has been spearheading this movement towards safe harbor,
[02:49.000 --> 02:57.100]  and that is her at the corner. So why are hackers scared? Well, besides prosecution, looking for
[02:57.100 --> 03:02.440]  contact information and reading the policies have been a burden to reporting vulnerabilities.
[03:02.460 --> 03:08.660]  Think about it. Sometimes when we find something we want to report, it can take hours, days,
[03:08.660 --> 03:13.160]  weeks, and then we get to a point like, what is, should I even keep trying at this point?
[03:13.360 --> 03:19.920]  To try to find the right contact information to disclose is a burden on you. This is why it's
[03:19.920 --> 03:23.880]  important to have like these vulnerability disclosure programs or bug bounty programs,
[03:23.880 --> 03:28.680]  because at least you feel like you have some sort of protection, and you know who to contact,
[03:28.680 --> 03:33.900]  you know the policies, you know what's in scope, what's out of scope, way ahead of the time.
[03:34.900 --> 03:43.220]  But I want to first dive into this case. So after DJI, the drone manufacturer recently launched a bug
[03:43.220 --> 03:51.640]  bounty program. Two researchers, Sean and Kevin, basically were looking at their scope. For the
[03:51.640 --> 03:55.860]  scope, the bug bounty program covers all the security issues in firmware, application, and
[03:55.860 --> 04:02.120]  servers, including source code leak, security workaround, privacy issues. Now, Kevin, he emailed
[04:02.120 --> 04:08.620]  them to confirm the scope to be safe. It took them two weeks to finally confirm the scope. He then
[04:08.620 --> 04:15.160]  reported the vulnerability, and he was provided with $30,000 for the finding. However, the agreement
[04:15.160 --> 04:21.960]  of receiving it offered no legal protection for him. So he did what most people should be doing,
[04:21.960 --> 04:27.520]  which is, he walked away. The revelations resulted in the company challenging the researcher's
[04:27.520 --> 04:32.600]  findings and seemingly threatening one with a lawsuit tied to the Computer Fraud and Abuse Act, also
[04:32.600 --> 04:38.600]  known as CFA. They claimed that basically he went out of scope, regardless of the fact that he made
[04:38.600 --> 04:44.400]  sure to confirm the scope. In return, he posted the entire situation with all conversations with
[04:44.400 --> 04:51.120]  the DJI publicly. And if you see that link, you'll be able to see his blog to see what happened. I
[04:51.120 --> 04:56.320]  think one of the things, the best part that I read on there was there was this moment when DJI didn't
[04:56.320 --> 05:02.900]  know that when they respond to his email, there was an internal chain going on, basically saying
[05:02.900 --> 05:08.380]  he's putting them at risk, and they should do everything possible to prevent the risk,
[05:08.380 --> 05:16.740]  including lawsuits and bad PR for them. But this case, it did get dropped, and they did get bad PR for this.
[05:19.220 --> 05:24.300]  But language and what is in scope and or out of scope when disclosing or how to disclose
[05:24.300 --> 05:30.500]  can be so scary, and potential indictments, especially. It could keep all parties awake at
[05:30.500 --> 05:36.920]  night. And I know it has done for me, and I know that you probably too. But program managers,
[05:36.920 --> 05:42.200]  overall, they're always asking to be hacked, but not hacked badly. And how to conduct, handle
[05:42.200 --> 05:47.620]  situations when researchers report something is something that they need to work on too as well.
[05:47.660 --> 05:53.920]  But overall, organizations and governments all know it's probably needed at this time, as you
[05:53.920 --> 06:00.860]  can see on this slide. And I know, once again, this is a scary subject, and we're going to keep getting
[06:00.860 --> 06:06.960]  into the more scary, scary parts of the subject. But here are some puppies to lift your spirits.
[06:07.000 --> 06:14.160]  And yes, there is a picture for the cat lovers as well. So if you see the cat, bravo. And no,
[06:14.160 --> 06:21.160]  Sherlock and Luna are not on here. All right, so why are they scared? Let's dive into this a little
[06:21.160 --> 06:26.140]  bit more. Even though ethical hackers are not malicious actors, they're still being seen and
[06:26.140 --> 06:29.960]  treated as such by the public. And because of this, it reduces the chance of reporting
[06:29.960 --> 06:34.680]  vulnerability and can cause hackers to go to the dark side because they're seen as the same by the
[06:34.680 --> 06:39.740]  public. To the left is what you see when typing in criminal hackers, and to the right is ethical
[06:39.740 --> 06:47.480]  hackers. Once again, there's this dark hoodie darkness, sometimes with a ski mask. But I want
[06:47.480 --> 06:52.920]  to also point out that it's not just the imagery, it's also the language used in the media,
[06:52.920 --> 06:58.720]  seen as in marketing and press. So anytime I say media, it's marketing and press. And marketing
[06:58.720 --> 07:05.620]  could be even for infosec companies. You find this often. Using the term hacker as someone who
[07:05.620 --> 07:11.400]  is seen as a criminal is incorrect. They should be using the term attacker, cyber criminal,
[07:11.400 --> 07:16.700]  malicious actor, and so on. Unless they're reporting something good about us, then they can definitely
[07:16.700 --> 07:24.200]  do a hacker thing. So you're probably wondering, how does this imagery and language impact us?
[07:24.200 --> 07:29.780]  It continues to feed the fear and stereotypes, the biases that exist through social construction.
[07:30.600 --> 07:36.080]  And of course, if you have attended any of my talks before, I am obsessed with the brain, so
[07:36.080 --> 07:42.340]  we're going to talk about the brain today. So what is really important is to understand how fear works
[07:42.340 --> 07:49.580]  in your brain. So first of all, I want you to take a look at this. So fear is usually based around your
[07:49.580 --> 07:55.800]  amygdala, which is like this almond shaped, and it's the size of an almond, believe it or not,
[07:55.800 --> 08:01.620]  inside your brain within the temporal lobe. It is the part where your emotions are attached to
[08:01.620 --> 08:07.200]  memories. So for example, if you have a nightmare, you're going to recall it a little bit more because
[08:07.660 --> 08:12.700]  a strong emotion was attached to it. Versus if it's just a regular dream, you might not remember
[08:12.700 --> 08:20.160]  it, but you will always remember a dream where it is extremely happy or extremely scary.
[08:20.520 --> 08:25.120]  So think of that. Anyway, the thing that you might know about the amygdala is usually the fight
[08:25.120 --> 08:31.480]  versus flight mechanism. And what I really want to explain is fight versus flight mechanism is a
[08:31.480 --> 08:38.980]  great way to showcase what the amygdala is, but it also is this part of you that's subconscious,
[08:38.980 --> 08:45.360]  and it decides what's like you, who's not like you. And based on that belief itself,
[08:45.360 --> 08:51.600]  you put people into categories of people to trust, people not to trust. And so for example,
[08:51.600 --> 08:58.420]  the amygdala, because it's stored in your memory section of your brain, it's also dictating
[08:58.420 --> 09:04.060]  subconsciously whatever socially constructive beliefs that you've had. And if you're wondering,
[09:04.060 --> 09:10.380]  what is a socially constructive belief? It's just any time when you were growing up or, you know,
[09:10.380 --> 09:16.160]  you had a teacher tell you that this is unsafe, your parents tell you that's not safe, or like
[09:16.820 --> 09:24.000]  anything that you've seen in movies, TV, indirectly, it's letting you know some memory for you to hold
[09:24.000 --> 09:31.420]  on to. Now, I want to give you kind of a better example here. So I always tell people, think about
[09:31.420 --> 09:37.420]  this way. You were growing up and you watched a bunch of movies as a kid. And every time someone
[09:37.420 --> 09:43.280]  had pink hair, they were the criminal, the villain in it. And not just that, but also you see on the
[09:43.280 --> 09:48.240]  news, people with pink hair are dangerous individuals, they're committing all the crimes.
[09:48.240 --> 09:54.940]  You read in textbooks, you read from teachers' letters, you read everything just showcasing that
[09:54.940 --> 10:00.240]  people with pink hair are dangerous. So when you see someone with pink hair at this point,
[10:00.240 --> 10:05.300]  you will probably clutch your bag a little bit closer, or you might cross the street,
[10:05.300 --> 10:10.020]  or you might actually lock your car doors when you see someone with pink hair.
[10:10.440 --> 10:16.660]  And I know that sounds like, but the person just has pink hair could. The thing is that you have
[10:16.660 --> 10:22.900]  been led to believe that someone with pink hair is someone dangerous. And that's a socially
[10:22.900 --> 10:29.400]  constructive belief. And the amygdala will always act on socially constructive beliefs when it comes
[10:29.400 --> 10:35.580]  to survival. So if it's known that someone with pink hair is dangerous, thus you will react in the same
[10:35.580 --> 10:44.040]  way. So the good news though is that it has to verify. So the prefrontal cortex acts kind of
[10:44.040 --> 10:48.940]  like the CEO in the brain. So this is completely conscious now. So what happens is the amygdala
[10:48.940 --> 10:55.000]  sends a message saying, warning, someone with pink hair is right behind you. And then your
[10:55.000 --> 11:01.800]  prefrontal cortex thinks, okay, I can either cross the street, or I can go into a building,
[11:01.800 --> 11:08.700]  or I can clutch my bag a little bit closer, or I can look behind me to be on top of everything,
[11:09.240 --> 11:16.620]  or I just ignore the threat. So the prefrontal cortex then, you decide which action to take,
[11:16.620 --> 11:22.960]  and it sends the message back to the amygdala to act on that action. But the one thing to note
[11:22.960 --> 11:28.660]  about is that you are completely conscious about it, and you're making that decision.
[11:28.720 --> 11:35.900]  But the good news is that there's still this validation. So people's biases, socially
[11:35.900 --> 11:41.000]  constructed beliefs, or whatnot, can always be challenged. And the best way how to do with that
[11:41.000 --> 11:46.140]  is through stories, hearing people's personal stories. So for example, in the same pink hair
[11:46.140 --> 11:54.240]  situation, if the person with pink hair made a YouTube video talking about how it's so terrible
[11:54.240 --> 12:00.360]  for them, because every time someone sees them, they see them as a criminal, and how that prevents
[12:00.360 --> 12:06.060]  them getting a job, how that prevents them getting where they need to go, how, for example,
[12:06.060 --> 12:13.480]  cops are called on them just for being outside, and how society as a whole isn't doing enough
[12:13.480 --> 12:20.900]  to understand that it's just because the person has pink hair. There's nothing else than that.
[12:21.360 --> 12:27.040]  So now if you put in a lens of a hacker, you probably have experienced once or twice,
[12:27.040 --> 12:30.960]  where when you tell someone you're a hacker, or you work in the hacker community,
[12:30.960 --> 12:35.380]  the next thing you know is that they take a step back, or the mouth kind of drops, or their eyes
[12:35.380 --> 12:41.620]  get bigger. They just get afraid. Because the thing is, is that our world has been socially constructed
[12:41.620 --> 12:49.900]  to see hackers as criminals, as a blanket for all hackers. And instead of thinking them as not just
[12:49.900 --> 12:55.900]  hackers, there's a difference between a hacker and an attacker, because they haven't learned that yet.
[12:55.900 --> 13:01.500]  And because our personal stories are not really out there yet either. And that's the problem.
[13:04.220 --> 13:11.840]  So what happens is, for the hacker situation, is that because of the mindset set by society,
[13:11.840 --> 13:17.240]  by people in the media, that's keeping us unsafe and preventing hackers what they do well in.
[13:17.280 --> 13:21.520]  Companies are afraid of hackers and don't want to create vulnerability disclosure policies because
[13:21.520 --> 13:26.440]  of the lack of a bilateral trust amongst hackers and organizations and government. It's one of the
[13:26.440 --> 13:32.200]  reasons why 60% do not report vulnerabilities. Hackers are scared of outdated laws such as CFA
[13:32.200 --> 13:38.260]  and DMCA. Also from interviewing attackers, one of the reasons they decide to move away from ethical
[13:38.260 --> 13:43.160]  hacking is the pay and the constant worrying of being prosecuted regardless if they did something
[13:43.160 --> 13:49.220]  legal. This is stated also similarly by those who switch from being an attacker to a hacker.
[13:49.220 --> 13:53.340]  The reason they switched was the insomnia of being arrested. Because there are cases
[13:53.340 --> 13:58.500]  when organizations prosecute ethical hackers regardless if they were in scope.
[14:00.900 --> 14:05.640]  So which leads us to needing to dive into the current legislation that can be found in most
[14:05.640 --> 14:12.280]  countries towards hackers. And this is worldwide legislation. So every country around the world
[14:12.280 --> 14:17.540]  has anti-hacking laws, anti-circumvention laws, also known as copyright type of laws,
[14:17.540 --> 14:23.920]  acceptable use policy. So let's first dive into the Computer Fraud and Abuse Act. And every country
[14:23.920 --> 14:29.940]  has their own, but the U.S. is the first one I think who put it first. So let's dive into that
[14:29.940 --> 14:35.100]  one. The Computer Fraud and Abuse Act is a U.S. cybersecurity bill that was enacted in 1984
[14:35.100 --> 14:40.300]  as an amendment to existing computer fraud law, which has been included in the Comprehensive
[14:40.300 --> 14:46.240]  Crime Control Act of 1984. The law prohibits accessing a computer without authorization
[14:46.240 --> 14:51.640]  or in excess of authorization. Also to be used when a researcher tends to go out of scope,
[14:51.640 --> 14:59.640]  this act is used to prosecute hacking. Random fact, who here has heard of WarGames? Okay,
[14:59.640 --> 15:04.080]  did you know that Ronald Reagan, he watched it and freaked out about hackers and he's like,
[15:04.080 --> 15:09.900]  we gotta do something! So he pushed for CFA to happen. Now let's dive into anti-circumvention
[15:09.900 --> 15:15.500]  laws, so the copyright laws. So in Canada you have the copyright law, believe it or not, super easy.
[15:15.500 --> 15:20.420]  In the U.S. we have the DMCA, the Digital Millennium Copyright Act, and it was enacted in
[15:20.420 --> 15:26.300]  1998. The U.S. copyright law that implements two 1996 treaties of World Intellectual Property
[15:26.300 --> 15:32.160]  Organization, WIPO. Basically it's the right to repair. Reverse engineering is seen as a breach
[15:32.160 --> 15:39.160]  of property. Let's dive into acceptable use policy. Now who here has ever read their terms
[15:39.160 --> 15:43.960]  and conditions? Say, for example, an Apple product. So I got trapped, I tried it, I got
[15:43.960 --> 15:48.420]  really bored, and I decided to watch a movie instead. But in general, they can be long and
[15:48.420 --> 15:52.700]  too much verbiage. It can confuse anyone, especially if English is not their first language.
[15:52.700 --> 15:58.380]  And you're not an attorney. I'm not an attorney, by the way. But the thing is, is that this can
[15:58.380 --> 16:03.340]  lead to some serious miscommunication issues for ethical hackers that don't really speak English.
[16:03.900 --> 16:09.080]  Clearly these laws' overall takeaway is they're old and out of date. And honestly,
[16:09.080 --> 16:15.960]  they were created out of fear. And you know now about fear. By not having empathy or taking the
[16:15.960 --> 16:21.580]  time to understand what is actually needed and why laws should only prosecute malicious actors,
[16:21.580 --> 16:27.440]  aka criminals, and not good hackers. Because at that time, and still to this day, a lot of
[16:27.440 --> 16:33.140]  legislators and politicians still don't know that hackers are good people. There's a difference
[16:33.140 --> 16:40.900]  between a malicious actor, an attacker, a cyber criminal, and a hacker. Overall takeaway from
[16:40.900 --> 16:44.660]  here is that there are laws that prevent good hacking in the same way that they prevent
[16:44.660 --> 16:50.520]  attackers. And we need good hacking, especially during COVID-19, you guys.
[16:51.680 --> 16:58.700]  And I really hate the CFA, and I want to dive a little bit further into it, just for you to know,
[16:58.700 --> 17:03.560]  in case you don't know. So the Computer Fraud and Abuse Act, once again, was passed in 1984,
[17:04.020 --> 17:09.920]  and has grown wildly outdated in that it offers prosecutors discretion to threaten huge
[17:09.920 --> 17:16.120]  potential fines and jail sentences for relatively undisturbing violations of computer policy.
[17:16.960 --> 17:24.200]  First, the CFA was written, punishes exceeding authorized access to a protected computer,
[17:24.340 --> 17:29.360]  a phrase vague enough to inspire some broad interpretations. Another flaw in the CFA is the
[17:29.360 --> 17:34.320]  redundant provisions that enable a person to be punished multiple times for the same crime.
[17:34.320 --> 17:38.580]  These crimes can be stacked one on top of another, resulting in a threat of a higher
[17:38.580 --> 17:44.500]  cumulative fines and jail time for the exact same violation. This also allows prosecutors
[17:44.500 --> 17:49.840]  to bully defendants into accepting a deal in order to avoid facing a multitude of charges from a
[17:49.840 --> 17:56.540]  single, solitary act. It also plays a significant role in sentencing. This ambiguity of provision
[17:56.540 --> 18:02.640]  meant to toughen sentencing for repeat offenders in the CFA may, in fact, make it possible for
[18:02.640 --> 18:07.900]  defendants to be sentenced based on what should be prior convictions, but were nothing more than
[18:07.900 --> 18:14.040]  multiple convictions for the same crime. And this is why it's now important for us to talk about
[18:14.040 --> 18:22.000]  Aaron Swartz's case. For those that do not know Aaron Swartz's case, it basically started off in
[18:22.000 --> 18:28.000]  2011. Carmen Ortiz, the U.S. Attorney Office, charged Swartz with hacking into the MIT computer
[18:28.000 --> 18:34.380]  network to download millions of scholarly articles from JSTOR. An act of civil disobedience meant to
[18:34.380 --> 18:40.080]  protest the restricted access to research funded by taxpayers. For this, the U.S. Attorney brought
[18:40.080 --> 18:46.180]  charges that carried a maximum penalty of 35 years in prison and $1 million in fine. I want
[18:46.180 --> 18:54.380]  to pause there, because think about that. 35 years in prison for downloading articles? You know, first
[18:54.380 --> 19:04.100]  degree murder, life in prison? No, it's actually on 25 years, and yet he was facing 35.
[19:05.620 --> 19:12.320]  Going back to this, they were able to charge such years because of the way CFA is run and the issues
[19:12.320 --> 19:18.890]  that have yet to be sorted since it was made into a law. But overall, looking at Aaron's situation,
[19:19.260 --> 19:24.900]  you have to understand what he was going through. He was dealing with a 17-month legal battle,
[19:24.900 --> 19:31.540]  one that had no set trial date and wasn't ending anytime soon. And through Swartz's perspective,
[19:31.540 --> 19:37.880]  it must have been so overwhelming. And it was the future of this legal battle that
[19:37.880 --> 19:45.380]  cast into doubt that Swartz unfortunately hung himself in his apartment on January 11, 2013.
[19:45.620 --> 19:49.220]  And following his death, the federal prosecutors went on to drop the charges.
[19:49.540 --> 19:54.980]  His family said that the government's prosecution contributed to his decision to take his own life.
[19:56.320 --> 20:04.260]  In memory, and for what he went through, unfortunately, there was Aaron's Law. It
[20:04.260 --> 20:11.580]  didn't pass because a probably lobbyist, very heavy corporate lobbyist, didn't want it to pass.
[20:11.580 --> 20:16.980]  But what Aaron Law removes, the phrase exceeds authorized access and replaces it with access
[20:17.340 --> 20:22.920]  with authorization, which is defined as to obtain information on a computer that the accessor
[20:22.920 --> 20:28.160]  lacks authorization to obtain by not only circumventing technological or fiscal measures
[20:28.160 --> 20:33.680]  designed to prevent unauthorized individuals from obtaining that information. The other thing is that
[20:33.680 --> 20:38.860]  it would ensure people won't face criminal liability for violating the terms of service
[20:38.860 --> 20:43.440]  agreement and contracted agreements, but also limits penalties. In other words, there was no
[20:43.440 --> 20:53.440]  more duplicated charges. So no more stack on stack what Aaron went through. And with improvements to
[20:53.440 --> 21:05.000]  legislation, so to CFA, DMCA, with these changes, then we can have what we need today.
[21:05.680 --> 21:12.020]  And that is, we need to also talk about the other parts. So not only legislation, so we cover
[21:12.020 --> 21:17.780]  legislation, we talked about the media, the press, and whatnot. We also talked about organizations
[21:17.780 --> 21:24.320]  named vulnerability disclosure programs. And I want to dive into those three categories a little
[21:24.320 --> 21:30.640]  bit more because in order to have any rights or to get any public change, we have to work with
[21:30.640 --> 21:36.560]  three categories. So in order to have rights for hackers, we need to get the public on board. And
[21:36.560 --> 21:44.620]  in order to do so, we need to dive into organizations, legislation, and media. We need media to push for
[21:44.620 --> 21:48.940]  public to become aware. In other words, we need to change the language and imagery of a hacker and
[21:48.940 --> 21:54.640]  start using the term cybercriminals for those who commit unethical hacking over really separate the
[21:54.640 --> 22:00.560]  two groups. In order to help the press, organizations need to be on board with bilateral trust, with
[22:00.560 --> 22:05.200]  having vulnerability disclosure programs, by showing they support hackers, the public changes
[22:05.200 --> 22:11.180]  their view in general. Lastly, to have organizations and public opinion to push and motivate Capitol
[22:11.180 --> 22:16.020]  Hill to get on board and update the current legislation that will protect ethical hackers.
[22:16.020 --> 22:21.520]  Overall, we need all three to be supporting hacker rights for it to become a reality.
[22:22.580 --> 22:30.740]  So how do we get there? You're probably wondering. So these are the five needs. And this is the way
[22:30.740 --> 22:37.200]  how we can push for awareness of ethical hackers needing rights. Now, how we get there, I'm going
[22:37.200 --> 22:43.060]  to need your help. Overall, we need to work with the media, we need society to notice that we're
[22:43.060 --> 22:47.920]  everyday heroes, we need organizations to have a vulnerability disclosure program, and we need
[22:47.920 --> 22:53.540]  representatives to update today's legislation. But how we do that, we have to change the imagery
[22:53.540 --> 23:00.340]  that the press is doing too. So the first step is this petition is for anyone out there that
[23:00.340 --> 23:05.240]  supports ethical hackers and want to bring about a change is the first step that I'm working on to
[23:05.240 --> 23:12.080]  bring attention to this matter. And we have over 1000 signatures. And honestly, it's really it's
[23:12.080 --> 23:17.160]  broken down by organizations, legislators, and the media and the hacker community. And anyone can sign
[23:17.160 --> 23:23.740]  this who agrees with it. So you can also share it around and sign it yourself. And it could be
[23:23.740 --> 23:27.760]  friends and family. It doesn't have to be everyone has to be a hacker who signs this. It could be
[23:27.760 --> 23:36.800]  anyone who believes that we deserve rights. The second step, tell the press. So anytime you see
[23:36.800 --> 23:44.360]  the press reporting hackers in a bad light, correct them, write a comment below in the story,
[23:44.360 --> 23:51.620]  tag them in a tweet, letting them know the term is actually cyber criminal and attacker, not hacker.
[23:51.620 --> 23:57.400]  Hackers are good people. So you need to do that. The other thing is calling them out when they
[23:57.400 --> 24:04.260]  use the dark hoodie imagery, or the ski mask, which is still to my mind is the worst thing ever.
[24:05.220 --> 24:10.360]  We need to do fact checks. And that's how you do it is unfortunately, you kind of have to publicly
[24:10.360 --> 24:17.760]  shame them till they get it right. And also, if you're someone who is interviewed by any
[24:17.760 --> 24:24.040]  journalist or anything like that, please make sure to keep enforcing them and let them know to use
[24:24.040 --> 24:32.620]  the term attacker versus hacker when reporting a breach. I've been doing that since I can do it.
[24:32.840 --> 24:37.680]  But it's going to take all of us and Chris Roberts has been great also doing that kind of stuff. So
[24:37.680 --> 24:45.360]  push out there, let them know they got the wrong term and the wrong imagery. So basically, everyone
[24:45.360 --> 24:52.780]  gets a fact check. The third step is the push for organizations to partner and campaign with us.
[24:52.780 --> 25:00.220]  We need companies, we need orgs to come out, even government agencies can too, basically to come out
[25:00.220 --> 25:06.980]  publicly saying like, we stand with the ethical hackers, and it's time to change things or to push
[25:06.980 --> 25:14.140]  for vulnerability disclosure programs to other companies, organizations and so on. So they're
[25:14.140 --> 25:20.580]  also aware of that this is a need now at this point. Also to push for organizations to have a
[25:20.890 --> 25:27.660]  like I just said, it's really important that we do that because I am so tired of having to spend
[25:27.660 --> 25:34.100]  hours, days and weeks to find some information of who to contact and what's in scope, what's not in
[25:34.100 --> 25:40.700]  scope. This is so important. Every company should have that at this point, because they need us
[25:40.700 --> 25:47.740]  more than ever before. The fourth step, contact your local representatives to update current
[25:47.740 --> 25:54.820]  legislation. So let them know that they need to change something, set up 10 minute appointments
[25:54.820 --> 26:01.300]  virtually, or try whatever you can to work with other groups of people that want to volunteer to
[26:01.300 --> 26:06.880]  go and approach representatives. And especially the ones that you need to be focusing on is your
[26:06.880 --> 26:12.640]  local and state because those are the ones that we're having some serious problems with.
[26:13.160 --> 26:20.420]  And also last but not least, follow the Van Buren v. U.S. case. And there's a reason for that in the fall
[26:20.420 --> 26:26.120]  the CFA is going to be revisited in Supreme Court. So please take a look at it, follow it, and also
[26:26.120 --> 26:33.560]  contact your representatives around it. The fifth step, support wonderful groups like this. So I'm
[26:33.560 --> 26:42.020]  I Am The Cavalry, disclose.io, CERT Coordination Center, CERT CC, EFF and CTI League. It's really,
[26:42.020 --> 26:47.400]  that we work together and support one another and contact them to find out how they can do better
[26:47.400 --> 26:53.600]  or how you can help. So main takeaways overall, we need to push for awareness of ethical hackers
[26:53.600 --> 27:00.960]  and to let people know how we really are and our stories matter and how we get there. These are the
[27:00.960 --> 27:07.620]  main takeaways and I might need your advice and assistance if you want some. But most importantly,
[27:07.620 --> 27:14.100]  I want to remind you that the change starts with you and me. It's never too late and we must not
[27:14.100 --> 27:20.640]  give up because we must continue to fight for rights and this is a time that we do so.
[27:22.020 --> 27:28.480]  I want to first say thank you guys, everyone at IoT Village for selecting my talk to be a keynote.
[27:28.480 --> 27:33.500]  I want to also thank you guys for participating. So thank you all for existing. I also want to
[27:33.500 --> 27:41.780]  give a big shout out to Beau Woods and Harley Geiger. They helped basically put more ideas
[27:41.780 --> 27:47.780]  in my head for this conversation. Thank you guys so much and thank you IoT Village once again.
[27:47.780 --> 27:52.260]  Thank you guys for assisting and please stay safe and enjoy the rest of your DEF CON weekend.
